amadey | 2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c

Analysis

max time kernel
57s
max time network
66s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 05:22

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c.exe
Size

1.1MB
MD5

b6993ec4efe8c5c7cb57cb14ad2d228b
SHA1

8ca71391f2dbc6cb03927f66c9fc67faea4d6166
SHA256

2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c
SHA512

82830e3cc9167125d3c59a10bb44af340f8bb0ee20a42e84092920f64164c2790b54fa60661b8c5c44dd74d0b3c48a8f02fedc97be164e16ea0bbf241c74b23b
SSDEEP

24576:tyouCM/s7ZlZW63sUiGEKn+bb4GN8PXwoaVjpLjM4z3U6Um:IpCC68Up+pRo6jMsU6U

Score

10^/10

amadey healer mystic redline gruha dropper evasion infostealer persistence stealer trojan

Malware Config

Extracted

Family

redline

Botnet

gruha

77.91.124.55:19071

Attributes

auth_value
2f4cf2e668a540e64775b27535cc6892

Extracted

Family

amadey

Version

3.89

http://77.91.124.1/theme/index.php

http://77.91.68.78/help/index.php

Attributes

install_dir
fefffe8cea
install_file
explothe.exe
strings_key
36a96139c1118a354edf72b1080d4b2f

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect Mystic stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4892-40-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4892-41-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4892-42-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic
behavioral2/memory/4892-44-0x0000000000400000-0x0000000000428000-memory.dmp	family_mystic

Detects Healer an antivirus disabler dropper 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3952-35-0x0000000000400000-0x000000000040A000-memory.dmp	healer

Healer
Healer an antivirus disabler dropper.
dropper healer

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

AppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

Mystic
Mystic is an infostealer written in C++.
stealer mystic
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

t4904189.exeexplothe.exeu2915663.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	t4904189.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	explothe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	u2915663.exe

Executes dropped EXE 10 IoCs

Processes:

z9609135.exez7246784.exez1462459.exez9564647.exeq3729767.exer7975677.exes7915035.exet4904189.exeexplothe.exeu2915663.exe

pid	process
964	z9609135.exe
2712	z7246784.exe
4084	z1462459.exe
3012	z9564647.exe
5044	q3729767.exe
1104	r7975677.exe
920	s7915035.exe
1480	t4904189.exe
924	explothe.exe
3488	u2915663.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c.exez9609135.exez7246784.exez1462459.exez9564647.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	z9609135.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	z7246784.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	z1462459.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	z9564647.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

q3729767.exer7975677.exes7915035.exe

description	pid	process	target process
PID 5044 set thread context of 3952	5044	q3729767.exe	AppLaunch.exe
PID 1104 set thread context of 4892	1104	r7975677.exe	AppLaunch.exe
PID 920 set thread context of 3804	920	s7915035.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2460	5044	WerFault.exe	q3729767.exe
1100	1104	WerFault.exe	r7975677.exe
3076	4892	WerFault.exe	AppLaunch.exe
1988	920	WerFault.exe	s7915035.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1196 schtasks.exe

pid	process
1196	schtasks.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "229"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

AppLaunch.exe

pid process

3952 AppLaunch.exe
3952 AppLaunch.exe

pid	process
3952	AppLaunch.exe
3952	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AppLaunch.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	3952	AppLaunch.exe
Token: SeShutdownPrivilege	3552	shutdown.exe
Token: SeRemoteShutdownPrivilege	3552	shutdown.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

624 LogonUI.exe

pid	process
624	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c.exez9609135.exez7246784.exez1462459.exez9564647.exeq3729767.exer7975677.exes7915035.exet4904189.exeexplothe.exeu2915663.exe

description	pid	process	target process
PID 4596 wrote to memory of 964	4596	2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c.exe	z9609135.exe
PID 4596 wrote to memory of 964	4596	2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c.exe	z9609135.exe
PID 4596 wrote to memory of 964	4596	2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c.exe	z9609135.exe
PID 964 wrote to memory of 2712	964	z9609135.exe	z7246784.exe
PID 964 wrote to memory of 2712	964	z9609135.exe	z7246784.exe
PID 964 wrote to memory of 2712	964	z9609135.exe	z7246784.exe
PID 2712 wrote to memory of 4084	2712	z7246784.exe	z1462459.exe
PID 2712 wrote to memory of 4084	2712	z7246784.exe	z1462459.exe
PID 2712 wrote to memory of 4084	2712	z7246784.exe	z1462459.exe
PID 4084 wrote to memory of 3012	4084	z1462459.exe	z9564647.exe
PID 4084 wrote to memory of 3012	4084	z1462459.exe	z9564647.exe
PID 4084 wrote to memory of 3012	4084	z1462459.exe	z9564647.exe
PID 3012 wrote to memory of 5044	3012	z9564647.exe	q3729767.exe
PID 3012 wrote to memory of 5044	3012	z9564647.exe	q3729767.exe
PID 3012 wrote to memory of 5044	3012	z9564647.exe	q3729767.exe
PID 5044 wrote to memory of 2308	5044	q3729767.exe	AppLaunch.exe
PID 5044 wrote to memory of 2308	5044	q3729767.exe	AppLaunch.exe
PID 5044 wrote to memory of 2308	5044	q3729767.exe	AppLaunch.exe
PID 5044 wrote to memory of 3952	5044	q3729767.exe	AppLaunch.exe
PID 5044 wrote to memory of 3952	5044	q3729767.exe	AppLaunch.exe
PID 5044 wrote to memory of 3952	5044	q3729767.exe	AppLaunch.exe
PID 5044 wrote to memory of 3952	5044	q3729767.exe	AppLaunch.exe
PID 5044 wrote to memory of 3952	5044	q3729767.exe	AppLaunch.exe
PID 5044 wrote to memory of 3952	5044	q3729767.exe	AppLaunch.exe
PID 5044 wrote to memory of 3952	5044	q3729767.exe	AppLaunch.exe
PID 5044 wrote to memory of 3952	5044	q3729767.exe	AppLaunch.exe
PID 3012 wrote to memory of 1104	3012	z9564647.exe	r7975677.exe
PID 3012 wrote to memory of 1104	3012	z9564647.exe	r7975677.exe
PID 3012 wrote to memory of 1104	3012	z9564647.exe	r7975677.exe
PID 1104 wrote to memory of 4892	1104	r7975677.exe	AppLaunch.exe
PID 1104 wrote to memory of 4892	1104	r7975677.exe	AppLaunch.exe
PID 1104 wrote to memory of 4892	1104	r7975677.exe	AppLaunch.exe
PID 1104 wrote to memory of 4892	1104	r7975677.exe	AppLaunch.exe
PID 1104 wrote to memory of 4892	1104	r7975677.exe	AppLaunch.exe
PID 1104 wrote to memory of 4892	1104	r7975677.exe	AppLaunch.exe
PID 1104 wrote to memory of 4892	1104	r7975677.exe	AppLaunch.exe
PID 1104 wrote to memory of 4892	1104	r7975677.exe	AppLaunch.exe
PID 1104 wrote to memory of 4892	1104	r7975677.exe	AppLaunch.exe
PID 1104 wrote to memory of 4892	1104	r7975677.exe	AppLaunch.exe
PID 4084 wrote to memory of 920	4084	z1462459.exe	s7915035.exe
PID 4084 wrote to memory of 920	4084	z1462459.exe	s7915035.exe
PID 4084 wrote to memory of 920	4084	z1462459.exe	s7915035.exe
PID 920 wrote to memory of 3804	920	s7915035.exe	AppLaunch.exe
PID 920 wrote to memory of 3804	920	s7915035.exe	AppLaunch.exe
PID 920 wrote to memory of 3804	920	s7915035.exe	AppLaunch.exe
PID 920 wrote to memory of 3804	920	s7915035.exe	AppLaunch.exe
PID 920 wrote to memory of 3804	920	s7915035.exe	AppLaunch.exe
PID 920 wrote to memory of 3804	920	s7915035.exe	AppLaunch.exe
PID 920 wrote to memory of 3804	920	s7915035.exe	AppLaunch.exe
PID 920 wrote to memory of 3804	920	s7915035.exe	AppLaunch.exe
PID 2712 wrote to memory of 1480	2712	z7246784.exe	t4904189.exe
PID 2712 wrote to memory of 1480	2712	z7246784.exe	t4904189.exe
PID 2712 wrote to memory of 1480	2712	z7246784.exe	t4904189.exe
PID 1480 wrote to memory of 924	1480	t4904189.exe	explothe.exe
PID 1480 wrote to memory of 924	1480	t4904189.exe	explothe.exe
PID 1480 wrote to memory of 924	1480	t4904189.exe	explothe.exe
PID 964 wrote to memory of 3488	964	z9609135.exe	u2915663.exe
PID 964 wrote to memory of 3488	964	z9609135.exe	u2915663.exe
PID 964 wrote to memory of 3488	964	z9609135.exe	u2915663.exe
PID 924 wrote to memory of 1196	924	explothe.exe	schtasks.exe
PID 924 wrote to memory of 1196	924	explothe.exe	schtasks.exe
PID 924 wrote to memory of 1196	924	explothe.exe	schtasks.exe
PID 3488 wrote to memory of 1216	3488	u2915663.exe	cmd.exe
PID 3488 wrote to memory of 1216	3488	u2915663.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c.exe
"C:\Users\Admin\AppData\Local\Temp\2d35c6027e35619f91d84948e53357617f7c31780b29f23ad5bc46e52de5563c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4596

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9609135.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9609135.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:964

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7246784.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7246784.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1462459.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1462459.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9564647.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9564647.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3729767.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3729767.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:2308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 596
7⤵
- Program crash
PID:2460

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7975677.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7975677.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
7⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 540
8⤵
- Program crash
PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 588
7⤵
- Program crash
PID:1100

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7915035.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7915035.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
PID:3804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 152
6⤵
- Program crash
PID:1988

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4904189.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4904189.exe
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
6⤵
- Creates scheduled task(s)
PID:1196

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
6⤵
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:3060

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
7⤵
PID:3680

C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
7⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
7⤵
PID:2188

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
7⤵
PID:4360

C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
7⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2915663.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2915663.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3488

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k shutdown -s -t 0
4⤵
PID:1216

C:\Windows\SysWOW64\shutdown.exe
shutdown -s -t 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5044 -ip 5044
1⤵
PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1104 -ip 1104
1⤵
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4892 -ip 4892
1⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 920 -ip 920
1⤵
PID:872

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa399e855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9609135.exe
Filesize
981KB

MD5
3d2c446c9ae466b22727740e698f9f01

SHA1
cb1ff4695ff558ada26d24737e67d54b599b6f64

SHA256
d38caf8d6d8da5ac132c633d60ba933b0945f56ed8932939132c1003b786cdea

SHA512
908f12ba82229aa184d992bd19d16664bb2719f7a5c29ea88dad60be44b7d7bee166f4bc03b458b43e60f403aececcb3ae1c7c9b5aa8bf2067a72c0e339144f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z9609135.exe
Filesize
981KB

MD5
3d2c446c9ae466b22727740e698f9f01

SHA1
cb1ff4695ff558ada26d24737e67d54b599b6f64

SHA256
d38caf8d6d8da5ac132c633d60ba933b0945f56ed8932939132c1003b786cdea

SHA512
908f12ba82229aa184d992bd19d16664bb2719f7a5c29ea88dad60be44b7d7bee166f4bc03b458b43e60f403aececcb3ae1c7c9b5aa8bf2067a72c0e339144f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2915663.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u2915663.exe
Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7246784.exe
Filesize
799KB

MD5
ed4128a7b0b824e1f8d0212a6ea27d43

SHA1
d1a1010682bf8d1be13efdd57adad3d80425cddd

SHA256
63902c0e786d2266100a13f5778ec1c53161333b843d024db1e5f82df133f7e3

SHA512
43228d8924572a1cf3f5134b1147dcbd1ac3ec9dca76476583bad65818023f32bdf862efbf73df8681f57102e8b202d2d566ee0469608923ebde99b5e2c6fee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z7246784.exe
Filesize
799KB

MD5
ed4128a7b0b824e1f8d0212a6ea27d43

SHA1
d1a1010682bf8d1be13efdd57adad3d80425cddd

SHA256
63902c0e786d2266100a13f5778ec1c53161333b843d024db1e5f82df133f7e3

SHA512
43228d8924572a1cf3f5134b1147dcbd1ac3ec9dca76476583bad65818023f32bdf862efbf73df8681f57102e8b202d2d566ee0469608923ebde99b5e2c6fee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4904189.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4904189.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1462459.exe
Filesize
616KB

MD5
165084f946f2567081ee5853613b0392

SHA1
26cda3b1137181ec15e65e66ae0aae08af168af9

SHA256
a736a634a6682aee4d408becd9757b6ae98c73bdb6a5516fae011dbf26a330f5

SHA512
2b2ea1de81a52771a794042e7c0ef7891435c78876e0b3b8e32bea7c443c7a0abda8c4aeb7beeac0daa22cb61c724d613ac74a63935637e3a8059ebe4d859f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1462459.exe
Filesize
616KB

MD5
165084f946f2567081ee5853613b0392

SHA1
26cda3b1137181ec15e65e66ae0aae08af168af9

SHA256
a736a634a6682aee4d408becd9757b6ae98c73bdb6a5516fae011dbf26a330f5

SHA512
2b2ea1de81a52771a794042e7c0ef7891435c78876e0b3b8e32bea7c443c7a0abda8c4aeb7beeac0daa22cb61c724d613ac74a63935637e3a8059ebe4d859f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7915035.exe
Filesize
390KB

MD5
306a6f1a237c67b7d1092f0e57ffb113

SHA1
bee17f7ee614ce93c4503a99beded8b223933076

SHA256
7b5c21b2c978d2a3a4952b569903e114c420cbf26f9def9a1bd93ff462e82421

SHA512
3b550d30e80d046e44476d157cb2be573d92f3b77c9b12fd4508453a26a1e80650fe4e90da0652bc9f9e91080b9009e08a8d59771e510ff1598bc3423e01c5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s7915035.exe
Filesize
390KB

MD5
306a6f1a237c67b7d1092f0e57ffb113

SHA1
bee17f7ee614ce93c4503a99beded8b223933076

SHA256
7b5c21b2c978d2a3a4952b569903e114c420cbf26f9def9a1bd93ff462e82421

SHA512
3b550d30e80d046e44476d157cb2be573d92f3b77c9b12fd4508453a26a1e80650fe4e90da0652bc9f9e91080b9009e08a8d59771e510ff1598bc3423e01c5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9564647.exe
Filesize
346KB

MD5
34d5bc93cdd736157324ef5e05f552b9

SHA1
181c21206817fdcf3e6c1ef87a388fb228885f77

SHA256
32019428d6015fae23ba18a91f83442ab67dcbf0d2b3832e8c7de84557e1044b

SHA512
c69d30f2fe45eeb8657e43eb525168e7b980eeb584abbf53d031dd07c0224bc5795269611874b891320850e33da84dff246c23300c4c48931eeb07725a49ffe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9564647.exe
Filesize
346KB

MD5
34d5bc93cdd736157324ef5e05f552b9

SHA1
181c21206817fdcf3e6c1ef87a388fb228885f77

SHA256
32019428d6015fae23ba18a91f83442ab67dcbf0d2b3832e8c7de84557e1044b

SHA512
c69d30f2fe45eeb8657e43eb525168e7b980eeb584abbf53d031dd07c0224bc5795269611874b891320850e33da84dff246c23300c4c48931eeb07725a49ffe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3729767.exe
Filesize
227KB

MD5
de78addc1e228ffbb8f8e08cb320baa6

SHA1
7cd6c24a3de9165225951a8107aaaca05f58e95d

SHA256
3498aef634918e63a7ceda3d5a314d021a2ddadbfa935ebfd3729f91f6438752

SHA512
39b58a283bcc6b2d2e51aa7f95d62990a3e82c36686a5d84f970bc3c2a612d5bf6ca4076d57e73316340322d5d223b9529cd58e25b3fed8ecb45e6d6d39598d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3729767.exe
Filesize
227KB

MD5
de78addc1e228ffbb8f8e08cb320baa6

SHA1
7cd6c24a3de9165225951a8107aaaca05f58e95d

SHA256
3498aef634918e63a7ceda3d5a314d021a2ddadbfa935ebfd3729f91f6438752

SHA512
39b58a283bcc6b2d2e51aa7f95d62990a3e82c36686a5d84f970bc3c2a612d5bf6ca4076d57e73316340322d5d223b9529cd58e25b3fed8ecb45e6d6d39598d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7975677.exe
Filesize
356KB

MD5
ed86ec2a5af1ec907d39fc317903b52a

SHA1
6848ee6095c9f0f30a7f1670fe26086d5f2a487e

SHA256
1bdd29aba3919f7f18c07918964aa82c6d91af0db6b489d813d36822c30f344b

SHA512
760ae6a6387385c58f99ff143f40573d32ba5bc2299252a03bd6bd26e4defa1eb52aa18ec0fff8b82abea0e376585aaa2808009e1912604a3b519bd513594042

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7975677.exe
Filesize
356KB

MD5
ed86ec2a5af1ec907d39fc317903b52a

SHA1
6848ee6095c9f0f30a7f1670fe26086d5f2a487e

SHA256
1bdd29aba3919f7f18c07918964aa82c6d91af0db6b489d813d36822c30f344b

SHA512
760ae6a6387385c58f99ff143f40573d32ba5bc2299252a03bd6bd26e4defa1eb52aa18ec0fff8b82abea0e376585aaa2808009e1912604a3b519bd513594042

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
Filesize
219KB

MD5
4bd59a6b3207f99fc3435baf3c22bc4e

SHA1
ae90587beed289f177f4143a8380ba27109d0a6f

SHA256
08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236

SHA512
ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

Download Submit
memory/3804-49-0x00000000014D0000-0x00000000014D6000-memory.dmp

Filesize
24KB

Download
memory/3804-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3804-51-0x0000000005BB0000-0x00000000061C8000-memory.dmp

Filesize
6.1MB

Download
memory/3804-52-0x00000000056A0000-0x00000000057AA000-memory.dmp

Filesize
1.0MB

Download
memory/3804-54-0x0000000005450000-0x0000000005462000-memory.dmp

Filesize
72KB

Download
memory/3804-53-0x0000000005480000-0x0000000005490000-memory.dmp

Filesize
64KB

Download
memory/3804-55-0x00000000055D0000-0x000000000560C000-memory.dmp

Filesize
240KB

Download
memory/3804-72-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/3804-58-0x0000000005610000-0x000000000565C000-memory.dmp

Filesize
304KB

Download
memory/3804-50-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-36-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/3952-35-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3952-73-0x0000000074B00000-0x00000000752B0000-memory.dmp

Filesize
7.7MB

Download
memory/4892-40-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4892-41-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4892-44-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4892-42-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads